Security and access control

Inventory Manager enforces role-based access control at the inventory level and integrates with the Itential Platform secrets manager for credential management.

Role-based access control

Access to inventories, nodes, and actions is controlled through five core roles. Each inventory specifies one or more user groups, and users with appropriate roles in those groups can perform the corresponding operations.

Core roles

  • inventory:read: View inventories, nodes, and actions
  • inventory:create: Create new inventories, nodes, and actions
  • inventory:update: Modify existing resources and manage actions
  • inventory:delete: Remove inventories, nodes, and actions
  • inventory:run: Execute actions against nodes

How access control works

Inventory-level control:

  • Access is controlled at the inventory level through group membership
  • Each inventory specifies one or more groups when created
  • Users must have the appropriate role for the inventory’s groups to perform operations

Example:

```json
{
  "name": "prod-routers",
  "groups": ["network-ops", "network-admins"],
  "description": "Production router inventory"
}
```

Users in the network-ops or network-admins groups with the inventory:read role can view this inventory. Users with inventory:run can execute actions against its nodes.

Grant access to inventories

  1. Ensure the user is a member of at least one group assigned to the inventory.
  2. Grant the appropriate Inventory Manager role to the user in that group.
  3. The user can now perform operations based on their role.

For details on managing users and groups, see Authentication overview in the Admin Essentials documentation. For details on managing users and groups in on-prem deployments, see Authorization in the Admin Essentials documentation.

For details on managing users and groups in cloud deployments, see Manage users and groups in the Cloud Hub Administration documentation.
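The check that the inventory definition and the three-step grant procedure above imply can be modelled in a few lines. The following is an added example, not Inventory Manager's own authorization code: the data shapes (roles held per group, an inventory's `groups` list), the sample users and inventories, and the function names `has_access` and `effective_roles` are assumptions made for the example. It shows the two ways a request is denied that the procedure hints at: being in a group without holding the role there, and holding the role in a group the inventory does not list.

```python
"""Illustrative model of inventory-level RBAC (added example, not Itential code)."""

# The five core roles listed on this page, used as the vocabulary for the check.
CORE_ROLES = {
    "inventory:read",
    "inventory:create",
    "inventory:update",
    "inventory:delete",
    "inventory:run",
}

# Constructed sample inventories, in the shape shown above (assumed data layout).
INVENTORIES = {
    "prod-routers": {
        "name": "prod-routers",
        "groups": ["network-ops", "network-admins"],
        "description": "Production router inventory",
    },
    "lab-switches": {
        "name": "lab-switches",
        "groups": ["lab-users"],
        "description": "Lab switch inventory",
    },
}

# Constructed sample users. Roles are held per group (assumption): a user can be
# an admin in one group and read-only, or role-less, in another.
USER_GROUP_ROLES = {
    # alice: operator in network-ops, may view and run but not change anything
    "alice": {"network-ops": {"inventory:read", "inventory:run"}},
    # bob: every role, but only inside the lab group
    "bob": {"lab-users": set(CORE_ROLES)},
    # carol: step 1 of the grant procedure done (group member), step 2 not (no role)
    "carol": {"network-ops": set()},
}


def has_access(user: str, inventory_name: str, role: str) -> bool:
    """True if `user` holds `role` in at least one group attached to the inventory.

    Group membership alone is not enough, and a role held in a group the
    inventory does not list does not carry over to it.
    """
    if role not in CORE_ROLES:
        raise ValueError(f"unknown role: {role}")
    inventory = INVENTORIES.get(inventory_name)
    if inventory is None:
        # Unknown inventory and no-access look the same to the caller: fail closed.
        return False
    group_roles = USER_GROUP_ROLES.get(user, {})
    return any(role in group_roles.get(g, set()) for g in inventory["groups"])


def effective_roles(user: str, inventory_name: str) -> set:
    """Union of the roles the user can exercise on this inventory."""
    return {r for r in CORE_ROLES if has_access(user, inventory_name, r)}


def authorize(user: str, inventory_name: str, role: str) -> None:
    """Raise PermissionError instead of returning False, for use at an API boundary."""
    if not has_access(user, inventory_name, role):
        raise PermissionError(f"{user} lacks {role} on {inventory_name}")


if __name__ == "__main__":
    for u in USER_GROUP_ROLES:
        print(u, "prod-routers:", sorted(effective_roles(u, "prod-routers")))
```

Note that `bob` holds every core role, yet gets nothing on `prod-routers`: the roles live in `lab-users`, which that inventory does not list. That is the property to verify when auditing a deployment, since a role granted in a broad group shows up on every inventory that includes the group.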

Secrets management

Inventory Manager integrates with the platform secrets manager so that credentials are handled securely. Credentials themselves are never stored in Inventory Manager; only references to secrets are stored.

Store credential references

Reference credentials using the $SECRET_path $KEY_path format in node attributes, action config, or action parameters:

```json
{
  "name": "core-router-1",
  "attributes": {
    "ipaddress": "10.1.1.1",
    "username": "$SECRET_path $KEY_path",
    "password": "$SECRET_path $KEY_path"
  }
}
```

How secret resolution works

Secrets are resolved at runtime when actions execute:

  1. Action execution begins against a node
  2. Inventory Manager identifies $SECRET references in the node attributes and action parameters
  3. Inventory Manager queries secrets manager for the actual credentials
  4. Credentials are passed to the IAG 5 service
  5. The service connects to the device using the resolved credentials

Benefits:

  • Credentials never appear in inventory data or logs
  • Safe to pass inventory data through workflows
  • Credentials are fetched fresh on each action execution
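The reference format and the five-step resolution flow above can be exercised end to end with a small resolver. What follows is an added example, not Inventory Manager's or the Itential secrets manager's code. It assumes that the token after `$SECRET_` names the secret and the token after `$KEY_` names a field inside it (the page shows the literal placeholders `$SECRET_path $KEY_path`, so this grammar is the example's interpretation), models the secrets manager as an in-memory dict, and uses function names of its own (`find_secret_refs`, `resolve_secrets`, `leaks_secret`). It demonstrates the security property the benefits list claims: the stored node and action data keep only references, resolved values exist only in a per-execution copy, and a missing secret fails the execution rather than connecting with an empty credential.

```python
"""Illustrative $SECRET_/$KEY_ reference resolver (added example, not Itential code)."""
import copy
import re

# Assumed grammar: "$SECRET_<secret> $KEY_<key>", exactly one reference per value.
SECRET_REF = re.compile(r"^\$SECRET_(?P<secret>\S+)\s+\$KEY_(?P<key>\S+)$")

# Constructed stand-in for the platform secrets manager.
SECRETS_MANAGER = {
    "network/core-router-1": {"username": "netops", "password": "s3cr3t!"},
}

# Constructed node record: the inventory holds references only, never values.
NODE = {
    "name": "core-router-1",
    "attributes": {
        "ipaddress": "10.1.1.1",
        "username": "$SECRET_network/core-router-1 $KEY_username",
        "password": "$SECRET_network/core-router-1 $KEY_password",
    },
}

# Constructed action parameters; references may appear here too.
ACTION_PARAMS = {
    "enable_password": "$SECRET_network/core-router-1 $KEY_password",
    "timeout": 30,
}


def parse_secret_ref(value):
    """Return (secret, key) if `value` is a reference, else None."""
    if not isinstance(value, str):
        return None
    m = SECRET_REF.match(value)
    return (m.group("secret"), m.group("key")) if m else None


def find_secret_refs(data, path=()):
    """Step 2: walk nested dicts/lists and list (location, (secret, key)) pairs."""
    refs = []
    items = data.items() if isinstance(data, dict) else (
        enumerate(data) if isinstance(data, list) else ())
    for k, v in items:
        ref = parse_secret_ref(v)
        if ref:
            refs.append((path + (k,), ref))
        else:
            refs.extend(find_secret_refs(v, path + (k,)))
    return refs


def unresolvable_refs(data, store=SECRETS_MANAGER):
    """References whose secret or key the store does not hold."""
    return [(loc, ref) for loc, ref in find_secret_refs(data)
            if ref[0] not in store or ref[1] not in store[ref[0]]]


def _set_at(container, path, value):
    for k in path[:-1]:
        container = container[k]
    container[path[-1]] = value


def resolve_secrets(data, store=SECRETS_MANAGER):
    """Step 3: return a copy with references replaced by live values.

    The input is never mutated, so the inventory record keeps only references.
    Fails closed: one unresolvable reference aborts the whole resolution.
    """
    bad = unresolvable_refs(data, store)
    if bad:
        loc, (secret, key) = bad[0]
        raise KeyError(f"unresolvable reference at {loc}: {secret}/{key}")
    resolved = copy.deepcopy(data)
    for loc, (secret, key) in find_secret_refs(data):
        _set_at(resolved, loc, store[secret][key])
    return resolved


def _walk_values(data):
    if isinstance(data, dict):
        for v in data.values():
            yield from _walk_values(v)
    elif isinstance(data, list):
        for v in data:
            yield from _walk_values(v)
    else:
        yield data


def leaks_secret(data, store=SECRETS_MANAGER):
    """Guard for log or workflow payloads: does any string equal a stored secret value?"""
    secret_values = {v for s in store.values() for v in s.values()}
    return any(v in secret_values for v in _walk_values(data) if isinstance(v, str))


def execute_action(node, params, connect, store=SECRETS_MANAGER):
    """Steps 1-5: resolve just in time and hand only the resolved copies to `connect`."""
    creds = resolve_secrets(node["attributes"], store)
    args = resolve_secrets(params, store)
    return connect(creds, args)
```

`leaks_secret` is the check worth wiring into whatever serializes node or action data for logs or workflow output: the unresolved record passes it, the resolved copy does not, which is exactly the boundary the benefits list describes.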